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(54) Distribution and usage rights enforcement 

(57) Described herein is a trusted rendering system 
for use in a system for controlling the distribution and 
use of digital works. The trusted rendering system facil- 
itates the protection of rendered digital works which 
have been rendered on a system which controls the dis- 
tribution and use of digital works through the use of dy- 
namically generated watermark information that is em- 
bedded in the rendered output. The watermark data typ- 
ically provides information relating to the owner of the 
digital work, the rights associated with the rendered 



copy of the digital work and when and where the digital 
work was rendered. This information will typically aid in 
deterring or preventing unauthorized copying of the ren- 
dered work to be made. The system for controlling dis- 
tribution and use of digital works provides for attaching 
persistent usage rights to a digital work. Digital works 
are transferred between repositories which are used to 
request and grant access to digital works. Such repos- 
itories are also coupled to credit servers which provide 
for payment of any fees incurred as a result of accessing 
a digital work 
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Description 

The present Invention refates to the fiefd of distribution and usage rights enforcement for digitally encoded works, 
and in particular to identification of non-authorized copies of digitally encoded works that have been rendered. 
5 US-A-5 629 980 describes a system which provides for the secure and accounted for distribution of digitally en- 

coded works (hereinafter digital works). However, once a digital work leaves the digital domain, e.g. it is printed out, 
played or otherwise rendered, it is no longer secure and can be subjected to unauthorized copying. This is a problem 
for all rendered digital works. 

Two known techniques for protecting digital works by imparting information onto the digital work itself are "water- 
10 marking" and "fingerprinting". The term watermark historically refers to a translucent design impressed on paper during 
manufacture which is visible when the paper is held to the light. Because watermarks are impressed using combinations 
of water, heat, and pressure, they are not easy to add or alter outside of the paper factory. Watermarks are used in 
making letterheads and are intended to indicate source and that a document is authentic and original and not a repro- 
duction. 

is One technique for creating such a watermark when a digital work is printed is described in US-A-5 530 759. In this 

approach the watermark image is combined with the digital image to create the watermarked image. The watermark 
image acts as a template to change the chromacity of corresponding pixels in the digital image thus creating the 
watermark. In any event, these notices server as social reminders to people to not make photocopies. 

The term watermark is now used to cover a wide range of technologies for marking rendered works, including text, 
20 digital pictures, and digital audio with information that identifies the work or the publisher. Some watermarks are no- 
ticeable to people and some are hidden. In some kinds of watermarks, the embedded information is human readable, 
but in other kinds the information can only be read by computers. 

The term fingerprint is sometimes used in contrast with watermarks to refer to marks that^carry information about 
the end user or rendering event rather than the document or publisher. These marks are called "fingerprints" because 
25 they can be used to trace the source of a copy back to a person or computer that rendered the original. 

The same technologies and kinds of marks can be used to carry both watermark and fingerprint information. In 
practice, it is not only possible but often desirable and convenient to combine both kinds of information - for watermarks 
and fingerprints - in a single mark. 

With respect to paper based documents, the simplest approach to providing a mark is a graphical symbol or printed 
30 notice that appears on each page. Th is is analogous to a copyright notice. Such notices can be provided by the publisher 
in the document source or added later by a printer. These notices serve as social reminders to people to not make 
photocopies. 

Other approaches hide information in the grey codes (or intensity) on a page. Although in principle such approaches 
can embed data in greycode fonts, their main application so far has been for embedding data in photographs. One set 

3S ol approaches is described by Cox et al. in a publication entitled "Secure spread spectrum watermarking for Multimedia", 
NEC Research Institute Technical Report 95-10, NEC Research Institute, Princeton, NJ 08540. To decode data en- 
coded in the approached described by Cox et al. requires comparing the encoded picture with the original to find the 
differences. The advantage of these approaches is that they can embed the data in such a way that it is very difficult 
to remove, not only by mechanical means but also by computational means. 

40 As described above, watermarks need not be perceptible to the viewer. For example, one technique is to embed 

data in the white space of a document. An example of this kind of approach was described by Brassil, et al. in a 
publication entitled "Electronic marking and identification techniques to discourage document copying", IEEE Journal 
on Selected Areas in Communications, Vol. 13, No. 6 pages 1495-1504, October 1995. The idea is to slightly vary the 
spacing of letters and lines in a digital work. The advantages of this approach are that it is not visible and is hard to 

45 remove. A disadvantage is that it has a very limited capacity for carrying data - only a few bytes per page. 

Another watermarking scheme for use in digital works representing images is available from the Digimarc Corpo- 
ration. The Digimarc watermark is invisible and is used to convey ownership information relating to the image. From 
the Digimarc World Web Page describing their technology (URL http7/www.digimarc.com/wt _page.html): "A Digimarc 
watermark imitates naturally occurring image variations and is placed throughout the image such that it cannot be 

so perceived. To further hide the watermark, the Digimarc watermarking process is perceptually adaptive - meaning it 
automatically varies the intensity of the watermark in order to remain invisible in both flat and detailed areas of an 
image." Reading of the Digimarc watermark is through a Digimarc reader which can extract the watermark from the 
image. 

Other related prior art includes US-A-5 444 779 which discloses a system for utilizing a printable, yet unobtrusive 
55 glyph or similar two-dimensional ly encoded mark to identify copyrighted documents. Upon attempting to reproduce 
such a document, a glyph is detected, decoded and used to accurately collect and/or record a copyright royalty for the 
reproduction of the document or to prevent such reproduction. Furthermore, the glyph may also include additional 
information so as to enable an electronic copyright royalty accounting system, capable of interpreting the encoded 
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information to track and/or account for copyright royalties which accrue during reproduction of all or portions of the 
original document. 

US-A-5 157 726 describes a system for document authentfcatfon which utilizes an fD cardcoupfed to a copying 
machine capable of reading the ID card. The copying machine imparts digitally encoded identification information, e. 

s g. a digital signature, onto a copied document based on information contained in the ID card. The copied document 
can then be authenticated by scanning the document to extract and decode the digital signature. 

In accordance with one aspect of the present invention, there is provided system for controlling the distribution 
and use of digital works comprising: means for creating usage rights, each instance of a usage right representing a 
specific instance of how a digital work may be used or distributed; means for attaching a created set of usage rights 

10 to a digital work including a rendering right, said rendering right for permitting said digital work to be rendered, said 
rendering right further specifying watermark information to be embedded into a rendering of said digital work, said 
watermark information including information related to the rendering of said digital work; a communication medium for 
coupling repositories to enable exchange of repository transaction messages; a general repository for storing and 
securely exchanging digital works with attached usage rights; and a rendering system comprising a rendering repository 

is for receiving a digital work to be rendered from said general repository and a rendering device for rendering digital 
works; characterised in that said rendering repository further comprises means for gathering watermark information 
specified in a rendering right associated with said digital work to be rendered; and means for encoding said watermark 
information for embedding in said rendered digital work. 

A trusted rendering system for use in a system for controlling the distribution and use of digital works is disclosed. 

20 The currently preferred embodiment of the present invention is implemented as a trusted printer. However, the descrip- 
tion of the invention herein applies to any rendering device. A trusted printer facilitates the protection of printed docu- 
ments which have been printed from a system which controls the distribution and use of digital works. The system for 
controlling distribution and use of digital works provides for attaching persistent usage rights to a digital work. Digital 
works are transferred in encrypted form between repositories. The repositories are used to request and grant access 

25 to digital works. Such repositories are also coupled to credit servers which provide for payment of any fees incurred 
as a result of accessing or using a digital work. 

The present invention extends the existing capabilities of the system for controlling distribution and use of digital 
works to provide a measure of protection when a document is printed. The present invention adds to the system the 
ability to include watermark information to a document when it is rendered (i.e. a Print right associated with the document 

30 js exercised). In the currently preferred embodiment of a trusted printer, the watermark is visible. However, other "in- 
visible" watermarking technologies may also be used. The watermark data typically provides information relating to 
the owner of a document, the rights associated with that copy of the document and information relating to the rendering 
event (e.g. when and where the document was printed). This information will typically aid in deterring or preventing 
unauthorized copying of the rendered work. It is worth noting that the present invention further provides for multiple 

35 types of watermarks to be provided on the same digital work. 

Specification of the watermark information is preferably added to a document at the time of assigning render or 
play rights to the digital work. With respect to printed digital works, at the time of page layout special watermark char- 
acters are positioned on the document. When the document is printed, a dynamically generated watermark font is 
created which contains the watermark information that was specified in the print right. The font of the watermark char- 

^0 acters is changed to the dynamically generated watermark font. The dynamically generated watermark font is created 
using an embedded data technology such as the glyph technology described in US-A-5 486 686. 

For a better understanding of the present invention, reference will now be made, by way of example only, to the 
accompanying drawings in which:- 

45 Figure 1 is a block diagram illustrating the basic interaction between repository types in a system for controlling 

the distribution and use of digital works in accordance with the present invention; 

Figure 2 is an illustration of a repository coupled to a credit server for reporting usage fees as may be used in a 
system for controlling the distribution and use of digital works; 

Figure 3 is an illustration of a printer as a rendering system as may be utilized in a system for controlling the 
so distribution and use of digital works; 

Figure 4 is a block diagram illustrating the functional elements of a trusted printer repository; 

Figure 5 is a flowchart of the basic steps for digital work creation for printing on a trusted printer; 

Figure 6 is an illustration of a usage rights specification for a digital work that may be printed on a user's trusted 

printer; 

ss Figure 7 is an illustration of a usage rights specification for a digital work that may only be printed on a shared 

trusted printer residing on a network; 

Figure 8 is an illustration of a printed page having a glyph encoded watermark; 

Figure 9 is an illustration of a set of sample embedded data boxes having different storage capacities as may be 
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used as watermark characters of a watermark font set; 

Figure 10 is an illustration of a print right having the watermark information specified; 

Figure 11 is a flowchart summarizing the basic steps for a creator to cause watermarks to be placed in thefr doc- 
uments; 

s Figure 12 is a flowchart of the steps required for printing a document; 

Figure 13 is a flowchart outlining the basic steps for extracting the embedded data; 

Figure 14 is an illustration of an implementation of the present invention as a trust box coupled to a computer 
based system; 

Figure 15 is a flowchart illustrating the steps involved in printing a digital work using the trust box implementation 
10 of Figure 14; 

Figure 16 is an illustration of an implementation of the present invention as a printer server; and 
Figure 17 is a flowchart illustrating the steps involved in printing a digital work using the printer server implemen- 
tation of Figure 16. * 

15 A trusted rendering device for minimizing the risk of unauthorized copying of rendered digital works is described. 

The risk of unauthorized copying of digital documents comes from three main sources: interception of digital copies 
when they are transmitted (e.g., by wiretapping or packet snooping); unauthorized use and rendering of digital copies 
remotely stored, and unauthorized copying of a rendereddigftal work. The design of trusted rendering devices described 
herein addresses all three risks. 

20 Trusted rendering combines four elements: a usage rights language, encrypted on-line distribution, automatic 

billing for copies, and digital watermarks for marking copies that are rendered. 

• Usage Rights language. Content providers indicate the terms, conditions, and fees for printing documents in a 
. machine-readable property rights language. 

25 • Encrypted Distribution. Digital works are distributed from trusted systems to trusted rendering devices via computer 
networks. To reduce the risk of unauthorized interception of a digital work during transmission, it is encrypted. 
Communication with the rendering system is by way of a challenge-response protocol that verifies the authorization 
and security of the rendering device. 

• Automatic Billing. To ensure a reliable income stream to content providers, billing of royalties is on-line and auto- 
30 matic. 

• Watenrtarks. Finally, to reduce the risk of copying of rendered works, the rendered work is watermarked to record 
data about the digital work and the rendering event. Furthermore, watermarks are designed to make copies dis- 
tinguishable from originals. As will be described bebw, watermark information is specified within a rendering or 
play right in the usage rights language. 

35 

An embodiment of the present invention is implemented as a trusted printer, and the description will be directed 
primarily to printers, but the concepts and techniques described therein apply equally to other types of rendering sys- 
tems such as audio players, video players, displays or multi-media players. 

An embodiment of the present invention operates in a system for controlling the distribution and use of digital 
40 works is as described in US-A-5 629 980. A digital work is any written, audio, graphical or video based work including 
computer programs that have been translated to or created in a digital form, and which can be recreated using suitable 
rendering means such as software programs. The system allows the owner of a digital work to attach usage rights to 
the work. The usage rights for the work define how it may be used and distributed. Digital works and their usage rights 
are stored in a secure repository. Digital works may only be accessed by other secure repositories. A repository is 
45 deemed secure if it possesses a valid identification (digital) certificate issued by a Master repository and can prove its 
identity in a challenge response protocol. 

The usage rights language for controlling a digital work is defined by a flexible and extensible usage rights grammar. 
The usage rights language of one embodiment is shown below. 

so 
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GRAMMAR FOR THE USAGE RIGHTS LANGUAGE 

work-specification -> 
(Work: 

(Rights-Language-Version: version-id) 
(Work-ID: work-id ) 0 pt 
(Description: text-description ) 0 pt 
(Owner certificate-spec ) 0 pt 
(Parts: parts-list ) 0 pt 

(Contents: (From: address ) (To: address )) 0 pt 
(Copies: copy-count ) 0 pt 
(Comment commenf-sfr) 0 pt 
rights-gnoup-tist ) 

part$-ii$t-> work-id | work-id parts-list 

copy-count -> integer-constant | unlimited 
rights-group-list -> 

rights-group-spec rights-group-iist 0 pt 

rights-group-spec -> 

( rights-group-header rights-group-name 
bundfe-specopi 

commentopi 
rights-iist ) 

rights-group-header -> 
Rights-Group: | 
Reference-Rights-Group: 

bundle-spec-> 

(Bundle: commentopt time-spec 0 pt access-specopt 
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fee-spec 0 pt watermark-specppt ) 
comment -> (Comment comment-str) 
rights-list -> right rights-listopt 

right -> (right-code commentopt time-specopt sccoss-specopt fee-spec 0 pt ) 

right-code -> 

transport-code | 
render-code | 
derivative-work-code \ 
file-management-code \ 
configuration-code 

transport-code -> transport-op-spec next-copy-rights-specopf 
transport-op-spec -> 

Copy: | 

Transfer | 

Loan: remaining-rights-specopt 
next-copy-rights-spec -> ( Next-Copy-Rights: next-set-of-rights ) 
remaining-rights-spec -> ( Remaining-Rights: rights-groups-list ) 
next-set-of-rights -> rights-to-add-specopt I rights-to-delete-specopt 
rights-to-add-spec -> ( Add: rights-groups-list ) 
rights-to-delete-spec -> ( Delete: rights-groups-list ) 

render-code -> 

Play: player-specopt I 
Print printer-specopt I 
Export: repository-spec 0 pt 

player-spec -> (Player, certificate-list ) 0 pt (Watermark: watermark-spec) 0 pt 
printer-spec -> (Printer certificate-list )opt (Watermark: watermark-spec)^ 
repository-spec -> (Repository: certificate-list ) op t 

derivative-work-code -> 
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derivative-op-spec editor-specopi next-copy-rights-specopt 
derivative-op-spec -> 
Edit | 
Extract | 
Embed: 

editor-spec -> (Editor certificate-list) 

fUe-management-code -> 

Backup: backup-copy-rights-specopt I 
Restore: | 

Verify: verifier-spec opt I 
Folder | 
Directory: | 
Delete: 

backup-copy-rights-spec -> Backup-Copy-Rights: rights-groups-list 
verifier-spec -> (Verifier certificate-list) 

configuration-code -> 
Install: | 
Uninstall: 

time-spec -> 

(Time: interval-type expiration-specQpx) 
interval-type -> 

fixed-interval-spec \ 

sliding-interval-spec \ 

metered-intervat-spec 
fixed-interval-spec -> (From: moment-spec ) 
sliding-interval-spec -> (Interval: interval-spec ) 
metered-intervahspec -> (Metered: interval-spec ) 
expiration-spec -> (Until: moment-spec ) 
moment-spec -> date-constant time-of-day-constantopt 
interval-spec -> 

calendar-units-constant | 

time-units-constant | 

calendar-units-constant time-units-constant 
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fee-spec -> (Fee: ticket-spec | monetary-spec ) 

ticket-spec -> (Ticket (Authority: authority-id) (Type: ticket-id )) 

monetary-spec -> 

(fee-type min-price-specopt max-price-specopt account-spec) 
tee-type -> 

(Per-Use: money-units )| 

(Metered: (Rate: money-units ) 

( Per interval-spec ) (By: intervaJ-spec) 0 pf | 

(Best-Price-Under money-units )\ 

(Call-For-Price: dealer-id ) | 

(Markup: percentage ) 

money-units -> fhating^constant (Currency: iSO-Curwncy-Code ) 0 pt 

account-spec -> (To: account-id ) (House: dearing-house-kJ) opt | 
(From: account-id) (House: clearing-house-id) 0 pt 
min-price-spec -> (Min: (Rate: money-units ) (Per interval-spec )) 
max-price-spec -> (Max: (Rate: money-units ) (Per interval-spec)) 

access-spec -> 

(Access: security-class-specopt 

user-specopt 

source-specopt 

destination-specopt ) 
-class-spec -> (Security: s-list ) 
s-list -> s-pair\ s-pair s-list 
s-pair-> (s-name: s-value ) 
s-name -> literal-constant 
s-value -> floating-constant 
user-spec -> (User authorization-spec) 
source-spec -> (Source: authorization-spec) 
destination-spec -> 

(Destination: authorization-spec) 
authorization-spec -> 

(Any: certificate-list ) | 

certificate-list 
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certificate-list -> certificate-spec certificateJistopt 

certificate-spec -> (Certificate: (Authority: authority-id) property-iistopt ) 

property-list -> property-pair \ property-pair property-list 

property-pair -> {property-name: property-value) 

property-name •> literal-constant 

property-value -> string-constant | literal-constant 

| floating-constant \ integer-constant 



watermark-spec -> watermark-info-list 

watermark-info-list -> watermark-str-spec 0 pt watermark-infb-iistopt | 

watermark-token-specoptwatermark-infd-listopt I 
watermark-object-specopt watermark-infb-iistopt 

watermark-str-spec -> (Watermark-Str watermark-sti) 

watermark-token-spec -> (Watermark-Tokens: watermark-tokens ) 

watermark-tokens -> watermark-token watermark-tokens 0 pt 

watermark-token -> all- rights | render-rights | 

user-name | user-id | useNocation | 
institution-name | institution-id | institution-location | 
render-name | render-id | render-location | render-time 

watermark-object-spec -> (Watermark-Object work-id ) 

Conceptually, a right in the usage rights grammar is a label attached to a predetermined behavior and defines 
conditions to exercising the right. For example, a COPY right denotes that a copy of the digital work may be made. A 
condition to exercising the right is the requester must pass certain security criteria. Conditions may also be attached 
to limit the right itself. For example, a LOAN right may be defined so as to limit the duration of which a work may be 
LOANed. Conditions may also include requirements that fees be paid. 

A repository is comprised of a storage means for storing a digital work and its attached usage rights, an external 
interface for receiving and transmitting data, a processor and a clock. A repository generally has two primary operating 
modes, a server mode and a requester mode. When operating in a server mode, the repository is responding to requests 
to access digital works. When operating in requester mode, the repository is requesting access to a digital work. 

Generally, a repository will process each request to access a digital work by examining the work's usage rights. 
For example, in a request to make a copy of a digital work, the digital work is examined to see if such "copying" rights 
have been granted, then conditions to exercise the right are checked (e.g. a right to make 2 copies). If conditions 
associated with the right are satisfied, the copy can be made. Before transporting the digital work, any specified changes 
to the set of usage rights in the copy are attached to the copy of the digital work. 

Repositories communicate utilizing a set of repository transactions. The repository transactions embody a set of 
protocols for establishing secure session connections between repositories, and for processing access requests to the 
digital works. Note that digital works and various communications are encrypted whenever they are transferred between 
repositories. 

Digital works are rendered on rendering systems. A rendering system is comprised of at least a rendering repository 
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and a rendering device (e.g. a printer, display or audio system). Rendering systems are internally secure. Access to 
digital works not contained within the rendering repository is accomplished via repository transactions with an external 
repository containing the desired digrtar work. As wilT be described in greater detail below, the currently preferred em- 
bodiment of the present invention is implemented as a rendering system for printing digital works. 

s Figure 1 illustrates the basic interactions between repository types in the present invention. As will become apparent 

from Figure 1, the various repository types will serve different functions. It is fundamental that repositories will share 
a core set of functionality which will enable secure and trusted communications. Referring to Figure 1, a repository 
101 represents the general instance of a repository. The repository 101 has two modes of operations; a server mode 
and a requester mode. When in the server mode, the repository will be receiving and processing access requests to 

10 digital works. When in the requester mode, the repository will be initiating requests to access digital works. Repository 
101 may communicate with a plurality of other repositories, namely authorization repository 102, rendering repository 
103 and master repository 104. Communication between repositories occurs utilizing a repository transaction protocol 
105. 

Communication with an authorization repository 1 02 may occur when a digital work being accessed has a condition 
is requiring an authorization. Conceptually, an authorization is a digital certificate such that possession of the certificate 
is required to gain access to the digital work. An authorization is itself a digital work that can be moved between 
repositories and subjected to fees and usage rights conditions. An authorization may be required by both repositories 
involved in an access to a digital work. 

Communication with a rendering repository 103 occurs in connection with the rendering of a digital work. As will 
20 be described in greater detail below, a rendering repository is coupled with a rendering device (e.g. a printer device) 
to comprise a rendering system. 

Communication with a master repository 1 05 occurs in connection with obtaining an identification certificate. Iden- 
tification certificates are the means by which a repository is identified as 'trustworthy". The use of identification certif- 
icates is described below with respect to the registration transaction. 
2S Figure 2 illustrates the repository 101 coupled to a credit server 201. The credit server 201 is a device which 

accumulates billing information for the repository 101. The credit server 201 communicates with repository 101 via 
billing transaction 202 to record billing transactions. Billing transactions are reported to a billing clearinghouse 203 by 
the credit server 201 on a periodic basis. The credit server 201 communicates to the billing clearinghouse 203 via 
clearinghouse transaction 204. The clearinghouse transactions 204 enable a secure and encrypted transmission of 
30 information to the billing clearinghouse 203. 

A rendering system is generally defined as a system comprising a repository and a rendering device which can 
render a digital work into its desired form. Examples of a rendering system may be a computer system, a digital audio 
system, or a printer. In the described embodiment, the rendering system is a printer. In any event, a rendering system 
has the security features of a repository. The coupling of a rendering repository with the rendering device may occur 
35 in a manner suitable for the type of rendering device. 

Figure 3 illustrates a printer as an example of a rendering system in which a printer system 301 has contained 
therein a printer repository 302 and a print device 303. It should be noted that the dashed line defining printer system 

301 defines a secure system boundary. Communications within the boundary is assumed to be secure and in the clear 
(i.e. not encrypted). Depending on the security level, the boundary also represents a barrier intended to provide physical 
integrity. The printer repository 302 is an instantiation of the rendering repository 1 05 of Figure 1 . Trteorioie£reppsitory 

302 willin some instances contain an e^hemeraloooy off a digital work w hich remains until it i s printed out by the p rint 
^" ~ In other instances, the printer repbsitoTy 302 may contain digital works suchasfonts, which will remain 

and be billed based on use. This design assures that all communication lines between printers and printing devices 
are encrypted, unless they are within a physically secure boundary. This design feature eliminates a potential fault" 

45 point through which the digital work could be improperly obtained. The printer device 303 represents the printer com- 
ponents used to create the printed output. 

Also illustrated in Figure 3 is the repository 304 which is coupled to a printer repository 302. The repository 304 
represents an external repository which contains digital works. 

Figure 4 is a block diagram illustrating the functional elements of a trusted printer repository. Note that these 

so functional elements also would be present in any rendering repository. Referring to Figure 4, the functional embodiment 
is comprised of an operating system 41 0, core repository services 41 1 , and print repository functions 41 2. The operating 
system 410 is specific to the repository and would typically depend on the type of processor being used to implement 
the repository. The operating system 401 would also provide the basic services for controlling and interfacing between 
the basic components of the repository. 

55 The core repository services 411 comprise a set of functions required by each and every repository. For a trusted 

printer repository the core repository services will include engaging in a challenge response protocol to receive digital 
works and decryption of received digital data. 

The print repository functions 412 comprise functionality for rendering a work for printing as well as gathering data 
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for and creating a digital watermark. The functionality unique to a print repository will become apparent in the description 
below (particularly with respect to the flowchart of Figure 12). 

Figure 5 is a flowchart frustrating the basic steps for creating a digital work that may be printed on a trusted printer 
so that the resulting printed document is also secure. Note that a number of well known implementation steps, e.g. 

s encryption of digital works, have been omitted in order to not detract from the basic steps. First, a digital work is written, 
assigned usage rights including a print right which specifies watermark information and is deposited in repository 1 , 
step 501. As will be described in more detail below, the assignment of usage rights is accomplished through the use 
of a rights editor. Deposit of the digital work into repository 1 is an indication that it is being placed into a controlled 
system. Next, repository 1 receives a request from repository 2 for access to the digital work, step 502 and repository 

io 1 transfers a copy of the digital work to repository 2, step 503. For the sake of this example, it is assumed that a trusted' 
session between repository 1 and repository 2 has been established. The challenge response protocol used in this 
interaction is described in US-A-5 629 980 and thus no further discussion on the challenge response protocol is deemed 
necessary. 

Repository 2 then receives a user request to print the digital work, step 504. Repository 2 then establishes a trusted 

is session with a printer repository of the printing system on which the digital work will be printed, step 505. The printer 
repository receives the encrypted digital work and determines if it has a print right, step 506. If the digital work has the 
print right, the printer repository decrypts the digital work and generates the watermark that will be printed on the digital 
work, step 507. The printer repository then transmits the decrypted digital work with the watermark to a printer device 
for printing, step 508. For example, the decrypted digital work may be a Postscript™ file of the digital work 

20 A key concept in governing sale, distribution, and use of digital works is that publishers can assign "rights" to works 

that specify the terms and conditions of use. These rights are expressed in a rights language as described in US-A-5 
629 980, and the grammar is as described above. It is advantageous to specify watermark information within a rendering 
or play right within the grammar for a number of reasons. First, specification in this manner is technology independent. 
So different watermarking technologies may be used or changed without altering the digital document. Second, multiple 

25 watermarking technologies may be applied to the same digital work, e.g. a visible watermarking technology and an 
invisible watermarking technology. So if the visible watermark is removed, the invisible one may remain. Third, the 
watermark information to be placed on the digital work can be associated with the rendering event, rather than the 
distribution event. Fourth, the watermark information can be extended to include the entire distribution chain of the 
digital work Fifth, security and watermarking capabilities of a rendering system may Be specified as a condition of 

30 rendering. This will further insure the trusted rendering of the digital work. 

As a result of these advantages, this type of specifying watermark information fully supports the Superdistribution 
of digital works. Superdistribution is distribution concept where every possessor of a digital work may also be a dis- 
tributor of the digital work, and wherein every subsequent distribution is accounted for. 

When a publisher assigns rights to a digital work, the usage rights enables them to distinguish between viewing 

35 (or playing) rights and print rights. Play rights are used to make ephemeral, temporary copies of a work such as an 
image of text on a display or the sound of music from a loudspeaker. Print rights are used to make durable copies, 
such as pages from a laser printer or audio recordings on a magnetic media. 

Figure 6 is an example of the usage rights for a digital work which enables trusted printing from a personal computer. 
Referring to Figure 6, various tags are used in for the digital work. The tags "Description" 601, "Work-ID" 602 and 

40 "Owner" 603 provide identification information for the digital work. 

Usage rights are specified individually and as part of a group of rights. The Rights-Group 604 has been given a 
name of "Regular". The bundle label provides for a fee payee designation 605 and a minimum security level 606 that 
are applied to all rights in the group. The fee payee designation 605 is used to indicate who will get paid upon the 
invocation of a right. The minimum security level 606 is used to indicate a minimum security level for a repository that 

45 wishes to access the associated digital work. 

The rights in the group are then specified individually. The us age rights specify no fee for transferring 608, deleting 
609 or playing 610, bu t does have a five dolla r fee for making adiqital copy k»7 it also has tv yn Prin t njhtQ fffj^anH 
612, bot h requiring ajrtjsted, printer (specified by 613)"Tfte-flrst Print right 61l jcnn hn oxftrrrinmi if thn us er has a 
particular pr epaid ticket (specified by 614). Th e second print right has a fla t fee of ten dollars (specified by 615). T he 

50 example assumes that the digital work can be transmitted lu a user's computer hy flyflreisin g^hftj^py^r^^ 

the usercarTplay or prim the w oTtrarnis or her TOnvenience jJsjncJhe Pla y and Print right s, Fees are logged from the 
users" workstation whenever a right is exercised 

Also illustrated in Figure 6 are watermark specifications 61 6 and 617. The particular detail for the watermark spec- 
ifications 616 and 617 is described below with reference to Figure 10. 

55 Figure 7 illustrates a different set of rights for the same digital book, in this version, the publisher does not want 

digital delivery to be made to a consumer workstation. A practical consideration supporting this choice may be that the 
publisher wants to minimize the risk of unauthorized digital copying and requires a higher level of security than is 
provided by trusted systems on available workstations. Instead, the publisher wants the book to be sent directly from 
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an on-line bookstore to a trusted printer. Printing must be prepaid via digital tickets (see fee specification 701). To 
enable digital distribution to authorized distributors but not directly to consumers, the publisher requires that both parties 
in a Copy and Transfer right to have an authorizing digitaf license (see certificate specifications 702 ancT703). Lacking 
such a license, a consumer can not access the work at a workstation. Instead, he or she must print the work. 
s Also illustrated in Figure 7 is the watermark specifications 704. The watermark specification. 704 is described in 

greater detail below with respect to Figure 10. 

Three main requirements for watermarks on trusted printers have been identified: 

• Social Reminder. This requirement is for a visible printed indication about whether photocopying is permitted. 
10 This could be a printed statement on the document or an established icon or symbol within a corporation indicating 

a security level for the document. 

• Auditing. This requirement is for a way to record information on the document about the printing event, such as 
who owns the print rights, whether photocopying is permitted, and what person or printer printed the document 
and when the document was printed. 

is m Copy Detection. This requirement is a way for differentiating between printed originals and photocopies. In gen- 
eral, this requirement involves using some print patterns on the page which tend to be distorted by photocopiers 
and scanners. For some patterns, the difference between copies and printed original is detectable by people; for 
other patterns, the difference is automatically detectable by a computer with a scanner. 

20 in the described embodiment, watermarks are created with embedded data technology such as glyph technology 

described in US-A-5 486 686. Using glyphs as digital watermarks on printed documents is described in pending US 
patent application serial no. 08/734,570 entitled ■Quasi-Reprographics With variable Embedded Data With Applications 
To Copyright Management, Distribution Control, etc.". 

Generally, embedded data technology is used to place machine readable data on a printed medium. The machine 
25 readable data typically is in a coded form that is difficult if not impossible for a human to read. Another example of an 
embedded data technology is bar codes. 

Embedded data technology can be used to carry hundreds of bits of embedded data per square inch in various 
grey patterns on a page. Preferably, glyphs are used because the marks representing the encoded data can be used 
to create marks which are more aesthetically appealing then other embedded data technologies. With careful design, 
30 glyphs can be integrated as graphical elements in a page layout. Glyphs can be used with any kind of document. Glyph 
watermarks to carry document identification can be embedded by the publisher; while glyphs carrying data about a 
print event can be added to the watermark at the time of printing by a printing system. Both document identification 
and fingerprinting data can be embedded in the same watermark. 

It should be noted that a disadvantage of glyphs and with all forms of visible and separable watermarks, is that 
35 with mechanical or computational effort, they can be removed from a document. 

Figure 8 illustrates an example of a document image having a glyph encoded watermark. A document page has 
various text 802 and a glyph encoded watermark 803. Note that the document is not limited to text and may also include 
image or graphical data. 

It has been determined that for integrating embedded data such as glyphs into trusted printing systems, the re- 
40 quirements include: 

• Document designers such as authors and publishers must be able to specify on a page by page basis the position 
and shape of watermarks, so that they can be incorporated into the design of the document. 

• The approach should be compatible with mainline document creation (e.g. word processing) systems. 
45 • The approach should work within the protocols of existing printers. 

• The approach should carry the fingerprint (or run-time) data in Usage Rights specifications. 

• The approach should not significantly slow down printing. 

Herein the term media-dependent data is used to refer to information about how a watermark is located and shaped 
50 within the document content. The approach depends on the use of Usage Rights to express the data to be encoded 
in the watermark. 

Publishers use a wide variety of tools to create documents. Different text editors or word processors provide dif- 
ferent ways and degrees of control in laying out text, pictures and figures. One thing that all text editors have is a way 
to locate text on a page. In effect, this is a lowest common denominator in abilities for all systems. 
55 Exploiting this common capability provides insight about how to use glyphs to represent watermarks: 

• Glyph watermarks are organized graphically as rectangular boxes. 

• Different sized boxes have different capacities for carrying data. On 300 dpi printers, about 300 bytes per inch can 
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be encoded in glyphs. Note that this can represent even more data if the original data is compressed prior to glyph 
encoding. Note for greater reliability, some data may be repeated redundantly, trading data capacity for reliability. 
• Each glyph watermark is represented to a document creation program as a character in an initial glyph watermark 
font. Boxes of different sizes and shapes are represented as different characters for the initial glyph watermark 
s font. When a digital work is printed, the encoding of the data is analogous to calculating and changing the watermark 

font. 

In practice, a designer laying out a document would open a page of a glyph catalog containing glyph boxes of 
different sizes. The glyph boxes in the catalog would probably contain just test data, e.g. a glyph ASCII encoding of 
io the words test pattern glyph Copyright © Xerox Corporation 1 997. All Rights Reserved". The designer would determine 
ahead of time how much data he wants to encode per page, such as 100, 300, 500, or 1000 bytes. The designer would 
copy a 'box' (actually a character) of the corresponding size into their document and locate it where they want it on 
the page, typically incorporating it as a design element. 

Figure 9 illustrates a set of sample watermark characters (i.e. glyph boxes) having different storage capacities. An 
is actual catalog would contain additional shapes and would be annotated according to the data-carrying capacity of the 

glyphs. 

Note that the glyph encoded watermarks can also be placed in figures, since drawing programs also have the 
capability to locate characters on a page. 

When the creator saves their work, the document creation program writes a file in which characters in the glyph 

20 font are used to represent the watermarks. If the creator prints the document at this stage, he will see more or less 
what the final sold versions will look like except that the test data encoded in the gray tones of the glyph box will later 
be replaced by the dynamically generated watermark data. 

When the author or publisher gets ready to publish the work and import it into a system for controlling distribution 
use of digital works, one of the steps is to assign rights to the work using a Rights Editor. The Rights Editor is a program 

25 with which a document owner specifies terms and conditions of using a digital work. 

This is the point at which document identification data and also print event data are specified. Figure 10 illustrates 
the watermark information specified for a print right. Note that the watermark information specification is optional within 
the grammar. Print right 1001 specifies that a purchaser of the document must pay ten dollars to print the document 
(at fee specification 1 002). The document must only be printed on a trusted printer of a given type (at printer specification 

30 1003). Furthermore, the watermark must embed a particular string Title: Moby Dog Copyright 1994 by Zeke Jones. 
All Rights Reserved" and also include various data about the printing event (at Watermark-Tokens specification 1004). 
Note that the watermark tokens specification are used to specify the "fingerprint" information associated with the printing 
of the digital work. Here the specified printing event data is who printed it out, the name of the institution printing it out, 
the name of the printer, the location of the printer and the time that the digital work was printed. As will be described 

35 below, this information is obtained at print time. 

Figure 11 is a flowchart summarizing the basic steps for a creator to cause watermarks to be placed in their doc- 
uments. As part of the layout of the textual document the designer determines how much data is required by the 
watermark, step 1101. Based on the amount of needed data, a suitable watermark character (e.g. glyph box) is selected, 
step 1 1 02. The watermark character is then positioned onto a page (or the pages) of the digital work, step 11 03. Finally, 

40 as part of the rights assignment for the digital work document, a print right with a watermark specification is made, step 
1 1 04. At this point, the document can be viewed with the watermark positioned in the desired place(s) on the document. 
However, the actual fingerprint and other identifying data in an embedded data format has not yet been created. This 
is created dynamically at print time as described below. 

The next steps for the digital work are that it is published and distributed. During this process, the digital work is 

45 protected by the encryption and other security systems that are employed and the rights travel with the document. Part 
of this process assures that any printer or workstation that has a copy of the document also has digital certificates 
which contain information identifying the trusted system, trusted printer, user, and so on (a process described in more 
detail in US-A-5 629 980). 

Figure 1 2 is a flowchart of the steps required for printing a document. At some point, a user decides to print a 
50 document, step 1 201 . Typically this is done via a print command invoked through some interface on the users system. 
This opens a challenge-response protocol between the "user" repository containing the document and the printer re- 
pository, step 1202. During this exchange, the security and watermark capabilities of the printer are checked. If the 
printer does not have the proper security or watermark capabilities, the digital work cannot be printed on that printer. 
The printer security level and watermark capabilities are specified in the identification certificate for the printer. Assum- 
55 ing that the printer has the proper security levels and watermark capabilities, the "user" repository then checks that 
the digital work has the required print right, step 1 203. Assuming that the digital work has required print right the user 
repository may interface with a credit server to report any required fees for the printing the digital work, step 1204. 
Note that the actual billing for the digital work may occur when the right is invoked either when the print exercised or 
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when it can be verified that the document has been printed. The latter case protects the user in the situation wherein 
printing may become inadvertently terminated before the entire digital work is printed. 

A computation is then performed to gather together the friformation to be embedded in the watermark and to 
incorporate it into a new font for the watermark character First the information must be gathered from digital identifi- 
s cation certificates belonging to the user or the trusted printer, such as names, locations, and the current date and time, 
step 1205. This information is 'printed' internally into computer memory, creating a bitmap image of glyph boxes of 
different sizes, step 1206. Creation and coding of glyphs is described in US-A-5 486 686, thus no further discussion 
on the encoding of glyph patterns is deemed necessary. In any event, this information is then assembled into a font 
definition, step 1 207. 

10 The digital work is then decrypted and downloaded into the printer, step 1 208. When the digital work is downloaded 

into the printer, part of the protocol is also to download the new "revised" glyph font, which now has characters corre- 
sponding to glyph boxes. This font looks more or less like the one that the publisher used in creating the document, 
except that the gray codes inside the font boxes now embed the data that the publisher wants to appear in the water- 
marks on the document. 

15 The printer then prints the digital work, step 1209. When the document is printed, the glyphs that appear on the 

pages contain the desired watermark data 

Figure 13 is a flowchart outlining the basic steps for extracting the embedded data. First, the printed document is 
scanned and a digital representation obtained, step 1 301 . The location of the watermark and the corresponding em- 
bedded data is then found, step 1302. The watermark may be found using techniques for finding characteristic pixel 

20 patterns in the digital representation of the printed document. Alternatively, a template for the document may have 
been created that could be used to quickly find the watermark location. In any event, the embedded data is extracted 
from the watermark and decoded, step 1303. The decoded data is then converted to a human readable form, step 
1304. This may be on a display or printed out. The data extracted is then used to identify who and where the unau- 
thorized reproduction of the digital work came from. 

25 Note that the means for extraction of the watermark data is dependent on the technology used to embed the 

watermark data. So while the actual extraction steps may vary, they do not cause departure from the spirit and scope 
of the present invention. 

In the following, two embodiments of trusted printer implementations are described: desktop implementations for 
personal printers and print server implementations for larger workgroup and departmental printers. 
30 There is a large and growing install base of personal printers. Typically, such printers are connected to personal 

computers by serial output ports. In other cases, they are installed on small local area networks serving a few offices. 

To serve this market a "trust box" is provided which would be positioned in between the personal computer and 
the personal printer The trust box" would act as a print repository for the trusted printer system. This is a market where 
the purchase of such hardware would be justified by the convenience of digital delivery to the office, for those documents 
35 that publishers are unwilling to send in the clear (i.e. not encrypted). The cost of the trust box offsets either waiting for 
mail delivery or driving to another location to pick up trusted printer output. 

Figure 14 is an illustration of a trust box in a computer based system. A personal computer 1401 is coupled to a 
network 1402, the personal computer 1401 itself being part of a trusted system in that it embodies a repository The 
personal computer would receive digital works through the network 1 402 (e.g. over the Internet). The personal computer 
40 1401 is further coupled to trust box 1403. The communications between the repository contained in the personal com- 
puter 1 401 and the trust box 1 403 are encrypted for security purposes. Finally, the trust box 1 403 is coupled to a printer 
1404. The printer 1404 receives decrypted print streams for printing. 

From a conceptual perspective, the personal computer combined with the trust box and printer form a trusted 
system. The trust box implementation would work with other system elements as illustrated in the steps of the flowchart 
45 of Figure 15. 

Referring to Figure 15, the consumer contacts the distributor of digital works using, for example, an Internet browser 
such as Netscape Navigator or Microsoft Explorer, step 1501. For the sake of brevity, it is assumed that a trusted 
session is established between the consumer's repository and the distributor's repository. Using known user interface 
methods, the consumer selects a work from a catalog or search service, step 1 502. In this example, it is assumed that 
50 the rights holder has associated a Print right with the document, and that all terms and conditions for exercising the 
right are met by the consumer and the trust box. 

Once a work is selected the two repositories begin a purchase transaction, step 1503. As described in US-A-5 
629 980, there are several variations for billing. For concreteness, it is assumed that there is a billing account associated 
with the trust box. 

55 Using a helper application (or equivalent), the consumer's repository sends a digital certificate to the distributor 

which contains the trust box's public key, step 1504. The certificate itself is signed by a well-known repository, such as 
the printer's manufacturer. 

The distributor repository encrypts the document using DES or some other encryption code, step 1505. The en- 
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cryption uses a key length that is compatible with requirements of security and legal constraints. The distributor repos- 
itory encrypts the document key in an envelope signed by the public key of the printer box, step 1506. The distributor 
repository then sends the encrypterfdbcument antfthe envelope along to the consumer's workstation. 

The personal computer stores the encrypted document in its repository along with the envelope containing the 
s key, step 1507. 

At some point, the user decides to print the document. Using a print program, he issues a print request, step 1508. 
His personal computer contacts the trust box, retrieving its identity certificate encrypted in its public key, step 1509. It 
looks up the watermark information in certificates from the user, the computer itself, and the printer, step 1510. It 
downloads the watermark font to the printer through the trust box, step 1511 . 
10 The print program begins sending the document, one page at a time to the trust box, step 1512. 

The trust box contacts the printer. It decrypts the document giving the document key to a decryption means (e.g. 
an internal decryption chip), step 1513. It transmits the document to the printer in the clear, step 1514. Note that this 
is one place where a digital copy could be leaked, if a printer emulator was plugged into the print box to act like a 
printer. Presumably the security level of the trust box is set to a value that reflects the level of risk. The document is 
is then printed, step 1515. Finally, the trust box reports billing to a Financial Clearinghouse, step 1516. 
The trusted print box design is intended to meet several main design objectives as follows: 
installed Base. This approach is intended to work within the current installed base of desktop or personal printers. 
Installing a trusted print box requires loading software and plugging standard serial cables between the printer, the 
trusted print box, and the computer. 
20 Security. The approach inhibits unauthorized photocopying through the use of watermarks. The approach inhibits 

digital copying by storing digital works in an encrypted form, where the consumer workstation does not have access 
to the key for decrypting the work. 

Printer Limitations. The approach assumes that the user will plug the trusted print box into a standard printer. The 
printer is assumed to not have the capability of storing extra copies of the digital work. 
25 Building box in Printer. Variations of this approach include incorporating the trusted print box into the printer itself. 

That variation has the advantage that it does not present the document in the clear along any external connectors. 

Weak Link. A weak link in this approach is that there is an external connector that transmits the document in the 
clear. Although this is beyond the average consumer, it would be possible to build a device that sits between the trusted 
printer box and the printer that would intercept the work in the clear. 
30 Billing Variations. In the version presented here, the trusted print box has secure storage and programs for man- 

aging billing records. A simpler version of the approach would be to keep track of all billing on-line. For example, one 
way to do this would be to have the document printing start at the time that the customer orders it. In this variation, the 
document is still sent in encrypted form from the publisher, through the consumer's workstation, decrypted, and sent 
to the trusted print box, to the printer. The difference is that the trusted print box no longer needs to keep billing records 
3S and that the consumer must start printing the document at the time that the document is ordered. 

Software-only Variation. Another variation on the desktop printing solution involves only software. The consumer/ 
client purchases the work and orders the right to print it once. The on-line distributor delivers the work, encrypted, one 
page at a time. The consumer workstation has a program that decrypts the page and sends it to the printer with wa- 
termarks, and then requests the next page. At no time is a full decrypted copy available on the consumer's computer. 
40 The weak link in this approach is that the consumer's computer does gain access to copies of pages of the work in the 
clear. Although this would be beyond the average consumer, it would be possible to construct software either to mimic 
runtime decryption software or modify it to save a copy of the work, one page at a time. 

Much of the appeal of trusted printers is to enable the safe and commercial printing of long documents. Such 
printing applications tend to require the speed and special features of large, shared printers rather than personal print- 
45 ers. Provided herein is an architecture for server-based trusted printers. 

Besides the speed and feature differences of the print engines themselves, there are some key differences between 
server-based trusted printers and desktop trusted printers. 

• Server-based printers store complete copies of documents in files. 

so • Server-based printers have operating systems and file systems that may be accessible via a network. 

• Server-based printers have consoles, accessible to dedicated or walk-up operators depending on the installation. 

These basic properties of server-based printers create their own risks for document security which need to be 
addressed. In addition, since server-based printers tend to be high volume and expensive, it is important that the trusted 
55 system features not significantly slow down competitive printer performance. 

From a conceptual perspective, the print server (including network services and spooling) combined with the printer 
forms a trusted system. 

In abstract and functional terms, the operation of the server implementation is similar to that of the trust box im- 
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plementation. The difference is that the server performs many of the operations of the trust box. 

There are many variations on how the print server may need to interoperate with the other system elements. For 
example, the transactfon with the printer may be with the user's computer or with an on-fine repository that the user fs 
communicating with. In the following, the transaction is described as happening from a repository, although that repos- 
s itory may be the user's own computer. 

Figure 16 is a block diagram illustrating a print server implementation in which a consumer workstation 1601 is 
coupled to publisher repository 1 602. The publisher repository 1 602 couples directly with a spooler in printer repository 
1 603. The spooler is responsible for scheduling and printing of digital works. The spooler 1 603 is coupled to the printer 
1604. 

io The server implementation would work with other system elements as illustrated in the steps of the flowchart of 

Figure 17 in which the repository contacts the trusted printer's server, engaging in a challenge-response protocol to 
verify that the printer is of the right type and security level to print the work, step 1701 . These interactions also give 
the printer public certificates for the repository and user, that are used for retrieving watermark information. 

The distributor encrypts the document using DES or some other code, using a key length that is compatible with 
is requirements of security and legal constraints, step 1 702. It encrypts the document key in an envelope signed by the 
public key of server, step 1703. It sends the encrypted document to the server, step 1704. 

Note that in some versions of this architecture, different levels of encryption and ■scrambling' (less secure) are 
used on the document at different stages in the server. It is generally important to protect the document in all places 
where it might be accessed by outside parties. The use of lower security encoding is sometimes used to avoid poten- 
20 tially-expensrve decryption steps at critical stages that would slow the operation of the printer. 

In any event, the server stores the encrypted document, step 1 705. At some point, the spooler gets ready to print 
the document. Before starting, it runs a process to create a new version of the glyph font that encodes the watermark 
data, step 1706. It looks up the required watermark information in its own certificates as well as certificates from the 
repository and user. 

25 Finally, the spooler begins imaging the document, one page at a time, step 1 707. 



Claims 

30 1 . A system for controlling the distribution and use of digital works comprising: 

means for creating usage rights, each instance of a usage right representing a specific instance of how a 
digital work may be used or distributed; 

means for attaching a created set of usage rights to a digital work including a rendering right, said rendering 
35 right for permitting said digital work to be rendered, said rendering right further specifying watermark informa- 

tion to be embedded into a rendering of said digital work, said watermark information including information 
related to the rendering of said digital work, 

a communication medium for coupling repositories to enable exchange of repository transaction messages; 
a general repository for storing and securely exchanging digital works with attached usage rights; and 
40 a rendering system comprising a rendering repository for receiving a digital work to be rendered from said 

general repository and a rendering device for rendering digital works; 

characterised in that said rendering repository further comprises means for gathering watermark information 
specified in a rendering right associated with said digital work to be rendered; and means for encoding said 
watermark information for embedding in said rendered digital work. 

45 

2. A system according to claim 1 wherein said rendering right indicates a security level and watermarking capabilities 
which a rendering system must have in order to render said digital work. 

3. A system according to claim 1 or 2 wherein said rendering right is a print right, said rendering system is a printing 
50 system and said rendering repository is a printer repository. 

4. A system according to any one of claims 1 to 3 further comprising digital work authoring means having means for 
placing a watermark character on a digital document comprising means for encoding glyph patterns based on said 
watermark information to create a dynamic watermark font, wherein said glyph patterns correspond to watermark 

55 characters. 

5. A system according to claim 3 wherein said printer repository is further comprised of means for causing a printing 
fee to be paid when said document is printed. 



16 



EP0 862 318 A2 



A system according to any one of claims 1 to 5 further comprising a watermark extraction means for extracting the 
watermark information from said digital work. 

A system according to claim 6 wherein said watermark extraction means comprises a scanner device for creating 
a bit mapped representation of a printed medium; means for locating said watermark in said bit mapped represen- 
tation of a printed medium; and means for decoding embedded data contained in said watermark. 

A method for providing a watermark on a rendered digital work in a system for controlling the distribution and use 
of digital works, the method comprising the steps of: 

a) a digital work creator assigning a rendering right to said digital work and storing in a distribution repository 
said rendering right specifying watermark information indicating information identifying a rendering event; 

b) a user obtaining an encrypted version of said digital work from said distribution repository and storing in a 
user repository; 

c) said user requesting that said digital work be rendered; 

d) said user repository determining if said digital work has the appropriate rendering right; 

e) if said digital work has the appropriate rendering right, said user repository communicating with a rendering 
repository to establish a trusted session; 

f) said user repository transferring said digital work to said rendering repository; 

g) said rendering repository gathering watermark information specified in said rendering right; 

h) said rendering repository encoding data for said watermark information; 

i) said rendering repository decrypting said digital work and embedding said watermark information; and 

j) said rendering repository transmitting said digital work with embedded watermark information to a rendering 
device for rendering. 

A method for providing a watermark on a rendered digital work in a system for controlling the distribution and use 
of digital works, the method comprising the steps of: 



a) a digital work creator assigning a rendering right to said digital work and storing in a distribution repository, 
said rendering right specifying criteria for a rendering system that must be satisfied before the digital work can 
be rendered; watermark information indicating information identifying a rendering event; 

b) a user requesting a rendered version of said digital work be rendered on a user rendering system having 
a rendering repository; 

c) said distribution repository determining if said user rendering system meets the specified criteria in said 
rendering right; 

d) if said rendering system satisfies said specified criteria, said distribution repository encrypting said digital 
work and sending to said rendering repository; 

e) said rendering repository gathering watermark information specified in said rendering right; 

f) said rendering repository encoding data for said watermark information; 

g) said rendering repository decrypting said digital work and embedding said watermark information; and 

h) said rendering repository transmitting said digital work with embedded watermark information to a rendering 
device for rendering. 
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Repository 1 receives a request from Repository 2 for access 
to the digital work 



r 



502 



Repository 1 transfers a copy of the digital work to repository 2 f~ 503 



Repository 2 then receives a user request to print the 
digital work 



r 



504 



Repository 2 then establishes a trusted session with a printer 
repository of the printing system on which the digital work 
will be printed 



r 



505 



Printer repository receives the encrypted digital work 
and determines that it has a print right 



r 



506 



i printer repository then decrypts the digital work and 
generates the watermark that will be printed on 
the digital work 



r 



507 



The printer repository then transmits the decrypted digital work 
with the watermark to a printer device for printing 



r 



508 



FIG. 5 
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(Work: 

601 (Description: TittaThe Moby Dog Story' 

Copyright 1994 Zeb Jones') 
dW~(Work-ID: "Vanrty-Press-RegistTy-lkjdf98734*) 
<M'~-*~(0wner: *Zeb-Jones-ID12345-acvoiuyr*) 

604 ■ — (Rights-Group: 'Regular* 
(Bundle: 

605— *- (Fee: (To:'Aaount-Jones-Pub24oHoui4398^) 

606— - (Attess: (Security-level: 2))) 

(Copy: (Fee: (Per-Use: 5))) 

608— - (Transfer: ) 

609— - (Delete:) 

610— -Ww) M 
6U—~(Pnrt: s-s 

(Fee: (Ticket: 1ones-Prepoid-Print-9085oijgr4')) 
(Printer: TrustedPrinter-6070-qoeiru45587*] ) 

v 613 



(Watermark-Str: Title: Moby Dog Copyright 1994 
by Zeb Jones. 
All Rights Reserved.') S*616 
(Watermark-Tokens: user-id institution-locotion f 
render-name render-locotion _J 
6J5 render-time) ))) 

6/2^ — -(Print: ^3 

(Fee: (Per-Use: 10)) 

(Printed: *TrustedPrinter-«070-qoeini4558r) ) )) 

(Wotennark: v 613 

(Watermark-Str: Title: Moby Dog Copyright 1994 ~" 
by Zeb Jones. 

All Rights Reserved.*) I 
(Watennark-Tokens: user-id institution-location f 
render-name render-location 
render-time) ))) j 

FIG. 6 
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(Work: 



701- 



(Description: TrttaThe Moby Dog Story' 

Copyright 1994 Zeke Jones') 
(Work-ID: 'Vonily^reH-Registry-llqdf98734') 
(Owner: Teke-Jones-ID12345-zxwoiuyr') 

(Rights-Group: 'Regular* 
(Bundle: 

.(Fee: (To:'Account-Jones-Pub24afdoui4398')) 
(Access: (Security-Level: 2)) 
(Copy : (Fee:(Per-Use:5)) 

(Access: (Destinotion-Aurhorizotion: 'Jones-Dijtributor-9845kjh' ))) 
(Transfer: (Access: (DesHnohon-Authorizoh'on: *Jones-Distributor-9845kjh' )))) 



702 



(%:) 
(Print: 



) 



703 



704 < 



(Fee: (Ticket: *Jones-Prepaid-Print-9085oijgr4')) 
(Printer: TrusfedPrinter-6070-qoeiru45587') ))) 
(Watermark: 

(Wafermork-Str: Title: Moby Dog Copyright 1994 
by Zeke Jones. 
All Rights Reserved.') 
(Watermark-Tokens: user-id insfitution-locntion 

render-name render-location 
render-time) ))) 



FIG. 7 
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ZeteZock- The Moby Dog Story 
Copyright 1994 Zeke Jonas. ALL RIGHTS RESERVED 



THIS IS A STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THAT ^ 
THOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT A OOG NAMED MOBY HEWASA 
8IG OOG THAT THOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT A OOG NAMED 
MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A WHALE THIS IS A STORY ABOUT 
A DOG NAMED MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A WHALE. THIS IS A 
STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THATTHOUGHT HE WAS A 
WHALE. THIS IS A STORY ABOUT A OOG NAMED MOBY HE WAS A BIG OOG THAT 
THOUGHT HE WAS A WHALE THIS IS A STORY ABOUT A DOG NAMED MOBY HE WAS A 
BIG OOG THAT THOUGHT HE WAS A WHALE THIS IS A STORY ABOUT A DOG NAMED 
MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A WHALE THIS IS A STORY ABOUT 
A DOG NAMED MOBY HE WAS A BIG DOG THATTHOUGHT HE WAS A WHALE THIS IS A 



STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A 
WHALE THIS IS A STORY ABOUT A DOG NAMED MOBY HE WAS A BIG OOG THAT 



THOUGHT HE WAS A WHALE THIS B A STORY ABOUT A DOG NAMED MOBY HEWASA 
BIG DOG THAT THOUGHT HE WAS A WHALE THIS IS A STORY ABOUT A DOG NAMED 
MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A WHALE. THIS IS A STORY ABOUT 
A DOG NAMED MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A WHALE THIS IS A 
STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THATTHOUGHT HE WAS A 
WHALE THIS IS A STORY ABOUT A DOG NAMED MOBY HE WAS A BIG DOG THAT 
THOUGHT HE WAS A WHALE THIS IS A STORY ABOUT A DOG NAMED MOBY HEWASA 
BIG DOG THATTHOUGHT HE WAS A WHALE THIS IS A STORY ABOUT A DOG NAMED 
MOBY HE WAS A BIG DOG THAT THOUGHT HE WAS A WHALE. J 




FIG. 8 
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16x16 Glyph 
20x20 Glyph 

25x25 Glyph 
30x30 Glyph 

40x40 Glyph 
50x50 Glyph 

60x60 Glyph 



16x60 Glyph 
60x16 Glyph 



FIG. 9 
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1001< 



r (Print: 

/(Xtf-MFe* (Per-Use: 10)) 
/«?J^(Printed: Tru$tedPrinfBr-6070-qo8iru45587") ) )) 
(Watermark: 

(Wotermork-Str: Title: Moby Dog Copyright 1994 
by Zeb Jones. 

All Rights Reserved.') 
1004 (Watermark-Tokens: user-id institution-locotion 

render-name render-loartion 
render-time) ))) 

FIG. 70 



Document designer determines how much data 
required for watermark 



r 



Document designer selects watermark 
character based on how much data is required 



r 



not 



1102 



Document designer positions watermark 
character onto page of digital work 



r 



1103 



Document creator provides print usage s~1104 
right with a watermark specification i 

FIG. 7 7 
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1 




Open a Challenge-Response protocol between the 'User* 
repository and the printer repository 






The user repository checks t 


lot the user has print rights | 


< 


r 


The user repository interfaces with the credit server 
to report billing 






The printer repository then gathers the watermark 
information specified in the print right 


. . < 





f 



1201 



r 



1202 



1203 



r 



1204 



Print information as glyph boxes of various sizes f ~ 



1206 



Assemble the glyph box information as font definition 
for digital watermark 






Decrypt digital work and download to printer with new font 
definition for digital watermark 


— < 





r 



r 



1207 



1208 



1209 



FIG. 12 



26 



• 

EP0 862 318 A2 



Scan print document to create digital 
representation 



r 



1301 



find the location of the watermark and 
corresponding embedded data 



r 



1302 



Extract embedded data and decode ^ 



1303 



Convert decoded data into a human readable ^~1304 
form 

FIG. 13 
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. . ,^1501 

User contacts distributor over the internet f 

| Uttr/corisumBrselecbadigitolwortbmdistnlHrtorartalofl J 



r 



trust box's public key 

i s- 1505 



Distributor repository encrypts the document \ 



Distributor repository encrypts the document key in an envelope signed by the 
public key of the printer box and sends to consumer 

I 



1506 



Consumer repository stores encrypted document ond envelope f 



1507 



1 \r m 

User deddes to print document j 

1509 



Usenepositaryj^ \ 



Wotermork font downlooded to printer through trust box \ 



1 >J5/2 

Document sent to trust box one potje ot o time \ 



i s-1513 



Trust box decrypts document _^ 

1 ' wfM 



r 



T ^ J 51 5 

Print device prints document Y 



Trust box reports billing to financial deoringhouse \ 

FIG. 15 
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Consumer 
Workstation 




FIG. 16 
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Repository and print server establish trusted session "~|r^~ 



1701 



Distributor repository encrypts the document 



r 



Distributor repository encrypts the document key in an envelope 
signed by the public key of the server 



r 



Distributor repository sends encrypted document to the server 



1702 



1703 



1704 



Print server collects watermark information to create new watermark f- 1705 
font that encodes watermark data 



Print server stores the encrypted document 



r 



r 



1706 



1707 



FIG. 77 
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